
Re: Bind sanity check



On Sun, Dec 05, 1999 at 05:15:56PM +0000, Randy Edwards wrote:


> Here's what I've added to the bottom of Debian's default named.conf:

named.conf looks ok.


> ; BIND zone data file for golgotha.net domain
> ;
> $TTL    604800
> @       IN      SOA     golgotha.net. spartacus.golgotha.net. (
>                         199912041       ; Serial
>                          604800         ; Refresh
>                           86400         ; Retry
>                         2419200         ; Expire
>                          604800 )       ; Negative Cache TTL
> ;


on the first line of the SOA record, you probably wanted to have
something like

@	IN	SOA	ns.golgotha.net.	spartacus.golgotha.net. (
			^^^

on grounds that you need to list the primary nameserver (ns.golgotha.net)
and the mailbox of the hostmaster.


>                 NS      ns

you should consider getting a secondary NS.  I think the RFCs request it,
and it's for your own good.


>                 MX      10 mail
> localhost       A       127.0.0.1
> 
> ns              A       216.64.109.143
>                 MX      10 mail
>                 HINFO   "i386-based" "GNU/Linux"
> 
> www             A       216.64.109.143
>                 MX      10 mail
>                 HINFO   "i386-based" "GNU/Linux"

It always seemed clearer to me to use CNAME RRs for what you seem to be
trying to do here.  For example:

www	IN	CNAME		ns

It also has the advantage that if you ever need to renumber, you only have to
change the address for ns.golgotha.net, and the rest will follow.


> 
> mail            A       216.64.109.143
>                 MX      10 mail
>                 HINFO   "i386-based" "GNU/Linux"
> 
> ftp             A       216.64.109.143
>                 MX      10 mail
>                 HINFO   "i386-based" "GNU/Linux"
> -snip-
> 
> and also the db.rev.golgotha file:
> 
> -snip-
> ;
> ; BIND zone data file for golgotha.net domain
> ;
> $TTL    604800
> @       IN      SOA     golgotha.net. spartacus.golgotha.net. (
>                         199912041       ; Serial
>                          604800         ; Refresh
>                           86400         ; Retry
>                         2419200         ; Expire
>                          604800 )       ; Negative Cache TTL
> ;
>                 NS      ns.golgotha.net.
> 
> 216.64.109.143  PTR     ns.golgotha.net.
> 216.64.109.143  PTR     www.golgotha.net.
> 216.64.109.143  PTR     mail.golgotha.net.
> 216.64.109.143  PTR     ftp.golgotha.net.
> 216.64.109.143  PTR     spartacus.golgotha.net.

This might get you in trouble with stuff like tcpd.  Usually, an IP address
should resolve to a single FQDN.  I'm not sure what the RFCs have to say
here, but I know I would stay far from that.

However, my experience with bind shows it will work even if the
configuration slightly violates the standards, so you might keep it as is,
if nobody complains.

> Questions: First, can anyone see any errors/problems/stupidity in the above?

Well, yes :-)  See above.

 
>    Secondly, what's the best way to implement private (192.168.*.*) machines
> into this DNS/domain? Is it best to have the private network machines in a
> bogus domain or not in a DNS at all but using a hosts file?  Or is there a
> sane/secure way I can list the private machines in the DNS under their
> regular domain name?

When I needed to work with private addresses, I went ahead and installed two
bogus domains, one for host-to-address mapping and the other one for reverse
queries.

>    Another, near trivial question, why is the Debian preference to use
> seconds for refresh/retry instead of the how-to's 8H and more readable
> format?  Is this just to save the computational work of parsing "8H" and
> converting it?

Well, it always impresses chicks if you can tell how many seconds there are
in a week without thinking :-)))




Hope this helps,
---------------------------------------------------------------
Andrei D. Caraman			phone: +40 (1) 2050 637
Sr Network Engineer			  fax: +40 (1) 2050 655
Mediasat SA
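A small checker for the points raised in the reply above (SOA MNAME, a lone NS, several A records on one address, several PTRs for one address), as an added example that is not part of the original message. The zone data it parses is constructed (example.net, RFC 5737 addresses), and the parser handles only the simple record forms used in the thread.

```python
# Added example, not from the original message: BIND zone sanity checks on the points raised
# in the thread. Sample zones are constructed (example.net, RFC 5737 addresses), not the poster's.
import re
FORWARD = """\
@     IN  SOA  example.net. hostmaster.example.net. (
               1999120401 604800 86400 2419200 604800 )  ; serial refresh retry expire ncache
      IN  NS   ns
ns    IN  A    192.0.2.10
www   IN  A    192.0.2.10
"""
REVERSE = """\
@   IN  SOA  ns.example.net. hostmaster.example.net. ( 1 604800 86400 2419200 604800 )
    IN  NS   ns.example.net.
    IN  NS   ns2.example.net.
10  IN  PTR  ns.example.net.
10  IN  PTR  www.example.net.
"""

def parse_zone(text, origin):
    """Yield (owner, type, rdata) with comments stripped, '( )' joined and '@' expanded."""
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), re.sub(r";.*", "", text))
    owner = origin
    for line in text.splitlines():
        if not line.strip() or line[0] == "$":        # blank line or $TTL/$ORIGIN directive
            continue
        if not line[0].isspace():                     # line names its owner; '@' is the origin
            owner, line = line.split(None, 1)
            owner = origin if owner == "@" else owner
        fields = [f for f in line.split() if f != "IN"]
        yield owner, fields[0], fields[1:]

def check_zone(text, origin):
    """Return warning strings; an empty list means the zone passed every check."""
    absolute = lambda n: n if n.endswith(".") else f"{n}.{origin}"   # relative name -> FQDN
    recs = list(parse_zone(text, origin))
    ns = {absolute(rd[0]) for o, t, rd in recs if t == "NS" and o == origin}
    mname = next(rd[0] for _, t, rd in recs if t == "SOA")          # a zone must carry an SOA
    warn = [msg for bad, msg in (
        (absolute(mname) not in ns, f"SOA MNAME {mname} is not one of the zone's NS hosts"),
        (len(ns) < 2, f"only {len(ns)} NS record(s); consider a secondary nameserver")) if bad]
    groups = {}                                       # (A, address) -> owners; (PTR, address) -> names
    for owner, rtype, rdata in recs:
        if rtype in ("A", "PTR"):
            key, val = (rdata[0], owner) if rtype == "A" else (absolute(owner), rdata[0])
            groups.setdefault((rtype, key), []).append(val)
    for (rtype, key), names in groups.items():
        if len(names) > 1:
            hint = "use CNAMEs to one host" if rtype == "A" else "an address should map to one FQDN"
            warn.append(f"{key} has {len(names)} {rtype} records ({', '.join(names)}); {hint}")
    return warn
```

Run against the forward sample it reports the apex MNAME, the single NS and the duplicated A records; against the reverse sample it reports only the two PTRs on one address.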